Department of Homeland Security

Information Technology Management Letter for the
FLETC Component of the FY 2013 Department of
Homeland Security Financial Statement Audit

OIG-14-84                                  April 2014

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

April 29, 2014

MEMORANDUM FOR:   Sandy Peavy
                  Chief Information Officer
                  Federal Law Enforcement Training Center

                  Donald R. Lewis
                  Assistant Director
                  Federal Law Enforcement Training Center

FROM:             Richard Harsche
                  Acting Assistant Inspector General
                  Office of Information Technology Audits

SUBJECT:          Information Technology Management Letter for the
                  Federal Law Enforcement Training Center Component of
                  the FY 2013 Department of Homeland Security Financial
                  Statement Audit

Attached for your information is our final report, Information Technology Management
Letter for the Federal Law Enforcement Training Center Component of the FY 2013
Department of Homeland Security Financial Statement Audit. This report contains
comments and recommendations related to information technology internal control
deficiencies that were not required to be reported in the Independent Auditors’ Report.

We contracted with the independent public accounting firm KPMG LLP (KPMG) to
conduct the audit of Department of Homeland Security fiscal year (FY) 2013
consolidated financial statements. The contract required that KPMG perform its audit
according to generally accepted government auditing standards and guidance from the
Office of Management and Budget and the Government Accountability Office. KPMG is
responsible for the attached management letter dated March 11, 2014, and the
conclusion expressed in it.

Please call me with any questions, or your staff may contact Sharon Huiswoud, Director,
Information Systems Audit Division, at (202) 254-5451.

Attachment

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 11, 2014

Office of Inspector General,
U.S. Department of Homeland Security, and

Chief Information Officer and Chief Financial Officer,
U.S. Department of Homeland Security Federal Law Enforcement Training Center

Ladies and Gentlemen:

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or
Department) for the year ended September 30, 2013 (referred to herein as the “fiscal year (FY) 2013
financial statements”), and have issued our report thereon dated December 11, 2013. In planning and
performing our audit of the financial statements of DHS, in accordance with auditing standards
generally accepted in the United States of America and Government Auditing Standards, we
considered internal control over financial reporting (internal control) as a basis for designing our
auditing procedures for the purpose of expressing our opinion on the financial statements.
In conjunction with our audit of the financial statements, we also performed an audit of internal control
over financial reporting in accordance with attestation standards issued by the American Institute of
Certified Public Accountants.

In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated
December 11, 2013, included internal control deficiencies identified during our audit that, in aggregate,
represented a material weakness in information technology (IT) controls and financial system
functionality at the DHS Department-wide level. This letter represents the separate limited distribution
report mentioned in that report, of matters related to the Federal Law Enforcement Training Center
(FLETC) and the Offices of Intelligence & Analysis and Operations Coordination and Planning
(I&A/OPS).

During our audit we noted certain matters involving internal control and other operational matters that
are presented for your consideration. These comments and recommendations, all of which have been
discussed with the appropriate members of management and communicated through Notices of
Findings and Recommendations (NFRs), are intended to improve internal control or result in other
operating efficiencies and are summarized as described below.

With respect to FLETC’s and I&A/OPS’ financial systems’ IT controls, we noted certain matters in the
areas of access controls, segregation of duties, and IT application controls. These matters are described
in the General IT Control Findings and Recommendations and IT Application Controls sections of this
letter.

The Table of Contents identifies each section of the letter.
We have provided a description of key
FLETC and I&A/OPS financial systems and IT infrastructure within the scope of the FY 2013 DHS
financial statement audit in Appendix A, and a listing of each IT NFR communicated to management
during our audit in Appendix B.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International
Cooperative (“KPMG International”), a Swiss entity.

During our audit we noted certain matters involving financial reporting internal controls (comments
not related to IT) and other operational matters, including certain deficiencies in internal control that
we consider to be significant deficiencies and material weaknesses, and communicated them in writing
to management and those charged with governance in our Independent Auditors’ Report and in a
separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

Our audit procedures are designed primarily to enable us to form an opinion on the financial statements
and on the effectiveness of internal control over financial reporting, and therefore may not bring to
light all deficiencies in policies or procedures that may exist. We aim, however, to use our knowledge
of DHS’ organization gained during our work to make comments and suggestions that we hope will be
useful to you.

We would be pleased to discuss these comments and recommendations with you at any time.

The purpose of this letter is solely to describe comments and recommendations intended to improve
internal control or result in other operating efficiencies.
Accordingly, this letter is not suitable for any
other purpose.

Very truly yours,

Department of Homeland Security
Information Technology Management Letter
Federal Law Enforcement Training Center
September 30, 2013

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings
General IT Control Findings and Recommendations
   Findings
       Access Controls
       Segregation of Duties
   Recommendations
       Access Controls
       Segregation of Duties
IT Application Controls

APPENDICES

Appendix   Subject
   A       Description of Key FLETC and I&A/OPS Financial Systems and IT
           Infrastructure within the Scope of the FY 2013 DHS Financial Statement Audit
   B       FY 2013 IT Notices of Findings and Recommendations at FLETC and I&A/OPS

OBJECTIVE, SCOPE, AND APPROACH

Objective

We have audited the financial statements of the U.S. Department of Homeland Security (DHS or
Department) for the fiscal year that ended on September 30, 2013 (referred to herein as the “fiscal year
(FY) 2013 financial statements”). In connection with our audit of the FY 2013 financial statements, we
performed an evaluation of selected general information technology (IT) controls (GITCs) and IT
application controls at the Federal Law Enforcement Training Center (FLETC) and the Offices of
Intelligence & Analysis and Operations Coordination and Planning (I&A/OPS) to assist in planning and
performing our audit engagement.

Scope

The scope of our GITC and IT application control test work is described in Appendix A, which provides a
description of the key FLETC and I&A/OPS financial systems and IT infrastructure within the scope of
the FLETC component of the FY 2013 DHS consolidated financial statement audit.

Approach

General Information Technology Controls

The Federal Information System Controls Audit Manual (FISCAM), issued by the U.S. Government
Accountability Office, formed the basis of our GITC evaluation procedures.

FISCAM was designed to inform financial statement auditors about IT controls and related audit concerns
to assist them in planning their audit work and to integrate the work of auditors with other aspects of the
financial statement audit.
FISCAM also provides guidance to auditors when considering the scope and
extent of review that generally should be performed when evaluating GITCs and the IT environment of a
Federal agency. FISCAM defines the following five control categories to be essential to the effective
operation of GITCs and the IT environment:

• Security Management – Controls that provide a framework and continuing cycle of activity for
  managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy
  of computer-related security controls.

• Access Control – Controls that limit or detect access to computer resources (data, programs,
  equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.

• Configuration Management – Controls that help to prevent unauthorized changes to information
  system resources (software programs and hardware configurations) and provide reasonable assurance
  that systems are configured and operating securely and as intended.

  • We performed technical information security testing for key FLETC network and system devices.
    The technical security testing was performed from within select DHS facilities and focused on
    production devices that directly support DHS’ and FLETC’s financial processing and key general
    support systems.

• Segregation of Duties – Controls that constitute policies, procedures, and an organizational structure
  to manage who can control key aspects of computer-related operations.

• Contingency Planning – Controls that involve procedures for continuing critical operations without
  interruption, or with prompt resumption, when unexpected events occur.

IT Application Controls

We performed testing over selected key IT application controls on financial systems and applications to
assess the financial systems’ internal controls over the input, processing, and output of financial data and
transactions. FISCAM defines application controls as the structure, policies, and procedures that apply to
separate, individual application systems, such as accounts payable, inventory, or payroll.

SUMMARY OF FINDINGS

During FY 2012, FLETC took corrective action to address certain prior year IT control deficiencies. For
example, FLETC made improvements over strengthening controls around segregation of duties and
configuration management. However, during FY 2013, we continued to identify GITC deficiencies that
could potentially impact FLETC’s and I&A/OPS’ financial data related to controls over access control,
segregation of duties, and IT application controls for the FLETC and I&A/OPS core financial and feeder
systems and associated General Support System environments.

Collectively, the IT control deficiencies limited FLETC’s and I&A/OPS’ ability to ensure that critical
financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and
availability.
In addition, these deficiencies negatively impacted the internal controls over FLETC’s and
I&A/OPS’ financial reporting and its operations.

Of the eleven IT Notices of Findings and Recommendations (NFRs) issued during our FY 2013 testing,
one was a repeat finding from the prior year, and ten were new findings. The eleven IT NFRs issued
represent deficiencies in two of the five FISCAM GITC categories as well as in the area of IT application
controls.

The majority of findings resulted from the lack of properly documented, fully designed and implemented,
adequately detailed, and consistently implemented financial system controls to comply with DHS
Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and
National Institute of Standards and Technology guidance. Specifically, the findings stem from:

    1. Inadequately designed and ineffective access control policies and procedures relating to the
       management of logical access to financial applications, databases, and support systems;
    2. Insufficient logging of system events and monitoring of audit logs; and
    3. Improper configuration of application controls to prevent recording of improper expenses.

These deficiencies may increase the risk that the confidentiality, integrity, and availability of system
controls and FLETC’s and I&A/OPS’ financial data could be exploited, thereby compromising the
integrity of FLETC and I&A/OPS financial data used by management and reported in FLETC’s,
I&A/OPS’, and DHS’ financial statements.

While the recommendations made by us should be considered by FLETC and I&A/OPS, it is the ultimate
responsibility of FLETC and I&A/OPS management to determine the most appropriate method(s) for
addressing the deficiencies identified.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings

During our audit of the FY 2013 DHS financial statements, we identified the following FLETC and
I&A/OPS GITC deficiencies.

Access Controls

• Audit logs for the FLETC and I&A/OPS Momentum applications were not consistently or timely
  reviewed by management in accordance with DHS and FLETC policy.

• DHS requirements for password complexity were not fully implemented for accounts on the Glynco
  Administrative Network (GAN).

• FLETC and IA&OPS management did not maintain listings of separated contractors to support proper
  monitoring controls around contractor access to the respective Momentum environments.

• Account management activities on the FLETC and I&A/OPS Momentum environments, including
  implementation of account inactivity controls, authorization of profile changes, deactivation of
  accounts, and management of generic accounts, were not consistently or timely implemented or
  documented in accordance with FLETC policy.

Segregation of Duties

• FLETC personnel were granted access to the I&A/OPS Momentum application environment and
  supporting system infrastructure, including highly-privileged and administrative access, that was
  inconsistent with the segregation of duties principles defined by DHS policy.

Recommendations

We recommend that the FLETC Office of the Chief Information Officer (OCIO) and Office of the Chief
Financial Officer (OCFO), in coordination with the DHS OCIO and the DHS OCFO, make the following
improvements to FLETC’s and I&A/OPS’ financial management systems and associated IT security
program.

Access Controls

• Implement monitoring controls over the audit log review process to ensure that all required auditable
  events are being reviewed by management on a periodic basis, are documented, and audit log review
  evidence is maintained in accordance with DHS and FLETC requirements.

• Implement technical controls to ensure that passwords for GAN accounts are configured in
  accordance with DHS requirements.

• Implement monitoring controls over the account management process specific to FLETC and
  I&A/OPS contractors with access to the respective Momentum environments, including periodic
  notification of separated or transferred contractors and periodic revalidation of authorized contract
  personnel, to ensure that access to the applications remains current and commensurate with job
  responsibilities in accordance with DHS and FLETC requirements.

• Implement technical controls to enforce DHS and FLETC requirements related to implementation of
  account inactivity controls, and implement monitoring controls to review and ensure continued
  compliance with account inactivity requirements.

• Implement monitoring controls over the account management process to ensure that granting,
  modification and revocation of access to the FLETC and I&A/OPS Momentum environments,
  including generic accounts, are authorized, documented, and performed timely and in accordance with
  DHS and FLETC requirements.

Segregation of Duties

• Implement additional monitoring controls over I&A/OPS Momentum access, in particular for
  highly-privileged and administrative access, to ensure that segregation of duties principles are
  enforced in accordance with DHS and FLETC policy.

IT APPLICATION CONTROLS

During the FLETC and I&A/OPS component of the FY 2013 DHS financial statement audit, we
identified the following IT application control and financial system functionality deficiency:

Finding

• The I&A/OPS instance of the Momentum application lacked controls to prevent or detect the
  processing of multiple payment vouchers referencing the same invoice, which could result in the
  recording of improper expenses in the general ledger.

Recommendation

• While we noted that FLETC management corrected the deficiency described above, we recommend
  that the FLETC OCFO and OCIO, in coordination with the DHS OCFO and the DHS OCIO, continue
  to implement appropriate monitoring controls to ensure that required system configurations, including
  the invoice control tolerance settings, are properly implemented to ensure the continued effectiveness
  of preventative or detective controls related to key financial line items and assertions material to the
  DHS consolidated financial statements.

Appendix A

Description of Key FLETC and I&A/OPS Financial Systems and IT
Infrastructure within the Scope of the FY 2013 DHS Financial
Statement Audit

Below is a description of significant FLETC and I&A/OPS financial management systems and supporting
IT infrastructure included in the scope of the FLETC and I&A/OPS component of the DHS FY 2013
financial statement audit.

Financial Accounting and Budgeting System (FABS)

The FLETC FABS application (also referred to as Momentum) is an all-in-one financial processing
system. It functions as the computerized accounting and budgeting system for FLETC.
FLETC provides
financial management services to I&A/OPS through a separately hosted Momentum environment, which
was developed to mirror the FLETC Momentum environment. The FABS system exists to provide all of
the financial and budgeting transactions in which FLETC is involved. FABS system users are from all
FLETC sites that input requisitions and managers that approve receipt of property and manage the
property asset records and financial records for contracts, payments, payroll, and budgetary transactions.
Hosted on a Microsoft Server 2003 and Oracle Linux Server, the FABS application (Oracle Web Logic)
and database (Oracle 10g) servers reside on the FLETC GAN in a Hybrid physical network topology and
are accessible from four sites: Georgia (GA), DC, New Mexico, and Maryland. The system owner and
responsible office is the Finance Division Chief in the FLETC OCFO.

Glynco Administrative Network (GAN)

The purpose of GAN is to provide access to IT network applications and services to include video and
voice teleconferencing to authorized FLETC personnel, contractors and partner organizations located at
the Georgia facility. It provides authorized users access to email, internet services, required applications
such as Financial Management Systems, Procurement systems, Property management systems, Video
conference, and other network services and shared resources.
The GAN is located in GA and is owned
and operated by the FLETC OCIO.

Appendix B

FY 2013 IT Notices of Findings and Recommendations at FLETC
and I&A/OPS

FY 2013 NFR #   NFR Title                                                                        FISCAM Control Area        New Issue  Repeat Issue
FLETC-IT-13-01  FLETC Momentum Audit Log Reviews not Consistently Maintained                     Access Controls            X
FLETC-IT-13-02  Weakness in GAN Password Complexity                                              Access Controls            X
FLETC-IT-13-03  FLETC Momentum Account Management not Consistently Performed                     Access Controls            X
FLETC-IT-13-04  Momentum Application Inactivity Lockout is not Appropriately Configured          Access Controls            X
FLETC-IT-13-05  FLETC Contractor Separation not Fully Monitored                                  Access Controls            X
IAOPS-IT-13-01  IA&OPS Momentum Audit Log Reviews not Consistently Performed in a Timely Manner  Access Controls            X
IAOPS-IT-13-02  IA&OPS Segregation of Duties not Fully Enforced                                  Segregation of Duties      X
IAOPS-IT-13-03  IA&OPS Momentum Account Management not Consistently Performed                    Access Controls                       X
IAOPS-IT-13-04  Momentum Application Inactivity Lockout is not Appropriately Configured          Access Controls            X
IAOPS-IT-13-05  IA&OPS Contractor Separation not Fully Monitored                                 Access Controls            X
IAOPS-IT-13-06  Multiple Payment Vouchers can be Processed Against the Same Invoice              Business Process Controls  X

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security

Appendix A
Report Distribution

Department of Homeland Security

   Secretary
   Deputy Secretary
   Chief of Staff
   Deputy Chief of Staff
   General Counsel
   Executive Secretary
   Director, GAO/OIG Liaison Office
   Assistant Secretary for Office of Policy
   Assistant Secretary for Office of Public Affairs
   Assistant Secretary for Office of Legislative Affairs
   Under Secretary for Management
   Chief Financial Officer
   Chief Information Officer
   Chief Information Security Officer
   Chief Privacy Officer

Office of Management and Budget

   Chief, Homeland Security Branch
   DHS OIG Budget Examiner

Congress

   Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG)
Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on
Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to:

       Department of Homeland Security
       Office of Inspector General, Mail Stop 0305
       Attention: Office of Investigations Hotline
       245 Murray Drive, SW
       Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at
(202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.